SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Clarify root permissions for KCM #7274

Open 3XX0 opened 7 months ago

3XX0 commented 7 months ago

Is root supposed to be allowed to create arbitrary ccache without the need to setuid? I'm asking because https://docs.pagure.org/sssd.sssd/design_pages/kcm.html seems to suggest that it is possible:

KRB5CCNAME=KCM:foobar kinit must not work unless done as root

However, when I try it I get the following:

Name foobar is malformed [1432158296]: Credential cache name not allowed

And the code doesn't appear to make an exception for UID 0.

alexey-tikhonov commented 7 months ago

Well, despite https://github.com/SSSD/sssd/blob/7c6bc58a10022c6cc0ed516bc0ac5422705cfc91/src/responder/kcm/kcmsrv_ccache.c#L162

it doesn't work for me even for the "list ccaches" case - KRB5CCNAME=KCM:1000 klist -A:

[kcm] [accept_fd_handler] (0x0400): [CID#46] Client [cmd klist][uid 0][0x5618ff4a4390][15] connected!
[kcm] [kcm_cmd_send] (0x0400): [CID#46] KCM operation GET_PRINCIPAL
[kcm] [kcm_op_get_principal_send] (0x1000): [CID#46] Requested principal 1000
[kcm] [ccdb_secdb_getbyname_send] (0x2000): [CID#46] Getting ccache by name
[kcm] [local_db_dn] (0x2000): [CID#46] Local path for [persistent/0/ccache/] is [cn=ccache,cn=0,cn=persistent,cn=kcm]
[kcm] [sss_sec_new_req] (0x1000): [CID#46] Local DB path is persistent/0/ccache/
[kcm] [secdb_container_url_req] (0x2000): [CID#46] Created request for URL persistent/0/ccache/
[kcm] [sss_sec_list] (0x0400): [CID#46] Listing keys at [persistent/0/ccache/]
[kcm] [sss_sec_list] (0x2000): [CID#46] Searching at [cn=ccache,cn=0,cn=persistent,cn=kcm] with scope=subtree
[kcm] [sss_sec_list] (0x1000): [CID#46] No secrets found
[kcm] [key_by_name] (0x0080): [CID#46] The container was not found
[kcm] [kcm_ccdb_getbyname_done] (0x1000): [CID#46] No cache found by name

I don't know if it never worked or was broken later. Nor do I know what the rationale was to make (plan) an exception for 'uid == 0'. What's your use case? Why doesn't 'sudo -u foobar kinit' work for you?

3XX0 commented 7 months ago

Um, interesting, so yeah, maybe it was intended and got broken at some point. My use case is a little more involved since I'm accessing it programmatically through libkrb5 and got surprised it didn't work. I can always do the setuid dance, I just wanted to avoid it if I didn't have to.

alexey-tikhonov commented 7 months ago

> Nor do I know what the rationale was to make (plan) an exception for 'uid == 0'.

@sumit-bose , @pbrezina , do you know (remember)?

sumit-bose commented 7 months ago

Hi,

iirc there was a long discussion with MIT Kerberos upstream about this and in the end it was agreed that over the KCM interface root should only see its own tickets and not be able to access others.

HTH

bye, Sumit

alexey-tikhonov commented 7 months ago

Ok, then we should remove those traces from the doc page and the code.
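An added example, not part of the thread or of SSSD's code: a small Python parser for KCM debug lines like the ones quoted above, pairing each client's UID with the ccache name it requested and the per-UID store path KCM actually searched. The function names are hypothetical, and treating the part of the name before ':' as the owning UID is an assumption based on the KCM:1000 example.

```python
import re

# Lines copied from the KCM debug excerpt quoted in this thread.
SAMPLE_LOG = """\
[kcm] [accept_fd_handler] (0x0400): [CID#46] Client [cmd klist][uid 0][0x5618ff4a4390][15] connected!
[kcm] [kcm_cmd_send] (0x0400): [CID#46] KCM operation GET_PRINCIPAL
[kcm] [kcm_op_get_principal_send] (0x1000): [CID#46] Requested principal 1000
[kcm] [sss_sec_new_req] (0x1000): [CID#46] Local DB path is persistent/0/ccache/
[kcm] [sss_sec_list] (0x1000): [CID#46] No secrets found
[kcm] [kcm_ccdb_getbyname_done] (0x1000): [CID#46] No cache found by name
"""

# Common prefix: [kcm] [function] (level): [CID#n] message
LINE = re.compile(r"^\[kcm\] \[\w+\] \(0x[0-9a-f]+\): \[CID#(?P<cid>\d+)\] (?P<msg>.*)$")
# Message patterns; each named group becomes a field of the per-CID record.
PATTERNS = [
    re.compile(r"Client \[cmd (?P<cmd>[^\]]+)\]\[uid (?P<client_uid>\d+)\]"),
    re.compile(r"KCM operation (?P<op>\w+)"),
    re.compile(r"Requested principal (?P<requested>\S+)"),  # the ccache name asked for
    re.compile(r"Local DB path is persistent/(?P<namespace_uid>\d+)/ccache/"),
    re.compile(r"(?P<miss>No cache found by name)"),
]

def summarize(log_text):
    """Group KCM debug lines by connection id (CID) into one record each."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        record = sessions.setdefault(int(m["cid"]), {})
        for pattern in PATTERNS:
            hit = pattern.search(m["msg"])
            if hit:
                record.update(hit.groupdict())
    return sessions

def foreign_lookups(sessions):
    """Requests whose ccache name is not under the client's own UID.

    Assumption: the text before ':' in the name is the owning UID.
    Returns (cid, client_uid, requested, namespace_uid, missed) tuples.
    """
    out = []
    for cid, rec in sorted(sessions.items()):
        if "requested" in rec and "client_uid" in rec:
            if rec["requested"].split(":", 1)[0] != rec["client_uid"]:
                out.append((cid, rec["client_uid"], rec["requested"],
                            rec.get("namespace_uid"), "miss" in rec))
    return out
```

For the excerpt above this reports that the uid 0 client asked for `1000` while KCM searched only `persistent/0/ccache/`, which matches the behaviour sumit-bose describes.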